C-Fu, Posted May 19, 2021, #1
Today Edge alerted me to this:
Luckily password is a generated useless one, but it's still a bit concerning. Is this true?

KoenigLudwig, Posted May 20, 2021, #2
Well no denial is a sort of confirmation 🙄

Guest, Posted May 20, 2021, #3 (Edited May 20, 2021 by EVOTk)
If you use the same username / password pair on another site, the leak does not necessarily come from xpenology. This kind of leak checker is based only on the username / password pair.

KoenigLudwig, Posted May 21, 2021, #4
If I understand correctly, the password was individually created for this page...

jensmander, Posted May 21, 2021, #5
It's not the username AND password in combination but only the password itself which has been leaked. Even generated passwords can be found in those databases.

SnowDrifter, Posted May 22, 2021, #6
Nothing from haveibeenpwned / dashlane
Will change to be on the safe side though
Standard reminder to never reuse passwords or derivatives of

KoenigLudwig, Posted May 22, 2021, #7
I just set up a nextcloud and saw this:
A hash of the password is created and its first 5 characters are sent to haveibeenpwned.com. A list of all hashes that begin with these 5 characters is then received. Nextcloud then checks whether the hash of the entered password is contained in the list of hashes.
(basically saying, only the first five parts of the hash are sent to HIBP, so maybe MS does the same, and it's a false positive..)
@C-Fu Have you tried directly with HIBP?

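The range lookup described in the Nextcloud message above, as an added example that is not part of the original thread and is not Nextcloud's or HIBP's code. The remote service is replaced by a constructed local stand-in (`fake_fetch_range`, `LEAKED` and `SEEN_BY_SERVER` are hypothetical names), so it runs offline and shows that the check uses the password hash alone.

```python
import hashlib

def split_hash(password):
    """SHA-1 the password; return (5-char prefix that is sent, 35-char suffix kept local)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; malformed lines are skipped."""
    found = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            found[suffix.upper()] = int(count)
    return found

def breach_count(password, fetch_range):
    """How often the password appears in the corpus; 0 means not listed."""
    prefix, suffix = split_hash(password)
    body = fetch_range(prefix)  # only these 5 hex characters leave the machine
    # The comparison happens locally. No username or site name is involved,
    # so a hit says nothing about which site the password leaked from.
    return parse_range_response(body).get(suffix, 0)

# --- Constructed stand-in for the remote service (assumption, runs offline) ---
LEAKED = {"password": 3, "letmein": 7}   # constructed passwords and counts
SEEN_BY_SERVER = []                      # everything the "server" gets to see

def fake_fetch_range(prefix):
    SEEN_BY_SERVER.append(prefix)
    lines = []
    for pw, n in LEAKED.items():
        p, s = split_hash(pw)
        if p == prefix:
            lines.append(f"{s}:{n}")
    lines.append("0" * 35 + ":0")        # constructed filler entry with count 0
    return "\r\n".join(lines)

if __name__ == "__main__":
    for pw in ("password", "constructed-Generated-pw-7f3a"):
        print(pw, "->", breach_count(pw, fake_fetch_range))
    print("server saw:", SEEN_BY_SERVER)
```
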
C-Fu, Posted May 24, 2021, Author, #8 (Edited May 24, 2021 by C-Fu)
On 5/23/2021 at 5:18 AM, KoenigLudwig said:
I just set up a nextcloud and saw this: A hash of the password is created and its first 5 characters are sent to haveibeenpwned.com. A list of all hashes that begin with these 5 characters is then received. Nextcloud then checks whether the hash of the entered password is contained in the list of hashes. (basically saying, only the first five parts of the hash are sent to HIBP, so maybe MS does the same, and it's a false positive..) @C-Fu Have you tried directly with HIBP?

yeah, but since it's a very old email with tons of (useless) logins to old unused sites like dropbox and linkedin, in all intents and purposes it's useless in regards to xpenology.com IMO - which also uses a generated password.
Anyway after rereading, Edge told me of a leaked (generated) password, not site. So I suppose I put it wrongly, perhaps not xpenology.com that got hacked, just my account's particular password...... ?
Oh well. All is good 😁 sorry for the heart attack anybody!